CHAPTER 12
When and When Not to Act
You’ve invested your valuable time reading this book, and we’ve covered a lot of topics related to cyber threats. In this chapter, we will tie all of it together and help you figure out what you can do with this information. From understanding the issues that could compromise your crown jewels and being aware of the legal ramifications of taking action or not taking action, you know you need to do something, but what?
So far, we have provided some examples and situations to assist you in your daily activities. You may have been deceived. You may have been hacked. You may have already increased your network security to no avail. Your legal advisors may not be up to speed on the laws governing this domain. At this point, you’ve had about enough. But before you run off and do something hasty, take some time to read this chapter. It provides some information to help you with your troubles.
The goal of this chapter is to provide a quick reference if you need help when you encounter someone who has gained unauthorized access to your network. You may recognize some of the material from other chapters, but we will also address some other issues. So sit back, breathe, relax, and let’s talk about protecting yourself in the face of known and unknown adversaries.
Determining Threat Severity
How severe is the threat? This has become the age-old question of the information security and incident response era. The answer is not always clear. If you are a new or small business, you probably do not have the technical expertise on staff to help you determine which events qualify as incidents, warranting increased attention. If you are a larger company, you may have standard operating procedures that help you determine when to mobilize and call your technical personnel into action; but as with all things in the digital realm, not everything fits nicely inside a package for each situation.
Let’s be clear about one thing: you can’t predict or protect against everything. You may spend a tremendous amount of time and effort to put every measure in place to protect your network, but one misstep by an average nonprivileged user could wholly compromise all that you have done. However, in the conduct of your daily monitoring, you will need to distinguish when to expend your resources to investigate suspicious activity and when you can chalk it up to a minor threat that can be remedied with minimal intervention. That depends on your ability to determine the severity of the threat you have just identified, which will help you take a logical step to deal with the problem at hand. Stuff happens, and it will happen again. A threat to your network, and possibly your livelihood, has reared its ugly head. Whether the threat is already in or you have information that it is coming, how you react must depend on the true threat it poses. Let’s take a look at a couple of scenarios.
Application Vulnerability Scenario
You take seriously the responsibility you have to maintain a secure environment in which the employees can perform their daily tasks. You notice a recently published security advisory highlighting a newly identified vulnerability in one of the applications your company uses often. What is your next step? If you feel that you need to meet this challenge by first thinking critically about the threat, you are correct. Before mobilizing your limited resources, you need to determine just how much of a threat this poses to you and your company. Okay, it’s a new vulnerability—it stinks, but it happens. Here’s the first question you should ask: Is this something you need to worry about?
You do a little more reading and discover that this vulnerability was fixed with the last patch issued three months ago. If you routinely apply operating system and application patches soon after they are released, then you can probably rest easy, realizing that the threat severity to your network just decreased dramatically. If you never applied that patch, then you may want to push it out to your machines, while analyzing and monitoring those same machines to ensure they were not compromised because of the vulnerability.
In this example, relying on patches was an easy way to solve the problem. However, this approach could prove risky in some cases. You also need to look at the nature of the exploit and vulnerability. For instance, does an attacker require physical access to the machine? If so, then you will need to rely on your trust in the employees in your organization, as well as your access-control mechanisms. If the vulnerability can also be exploited remotely, then you will need to check your network logs to determine whether traffic related to this exploit has passed through your network, and whether the firewall rules you have established actually stop this kind of incoming and outgoing traffic. Now you are really starting to see the nature of the threats in this domain. Many times, there is no simple answer.
Targeted Attack Scenario
Now let’s consider a situation where your company has drawn the ire, for some reason or another, of a group of malicious actors. You discover they want to take down your website. In this instance, you don’t have a collateral threat to your network; you have a direct threat to a system that is one of your sources of revenue.
If your site goes down, you stand to lose money each minute it cannot be reached by potential or returning customers. Now is the time to call your group together and come up with a plan of action. Do you want to ensure your web server has the latest patches for all the software running on it? Absolutely. Should you ensure that your firewall and IDS are functioning properly to help protect and alert you to the activities that may be coming your way? Without question. You’re following the trend here, right? Now you have identified a direct threat, and it’s time for action.
There is no possible way to cover all the actions you should take, but when you deem the threat is severe, ensure you act in accordance with your standard operating procedures. Think critically about the threat posed to your network, and then act accordingly. There is nothing worse than being that chief security officer, chief information officer, or network manager who “cries wolf” all the time.
What to Do When It Hits the Fan
At one time or another, “it” will hit the fan. Your sacred domain has been infiltrated. Now is the time for action. The burning question you will want to ask is, “Who has done this to our organization?” However, at this stage in the game, it is not the most important question to answer; that will come later. Your tools to monitor logs and real-time traffic have just become your new best friends.
From the moment you notice the infiltration, you need to make a plan. You should already have an overarching plan to handle events and incidents such as this, but each situation is unique. Depending on the actions you want to take, you may need management’s approval. You will need to begin examining your logs to determine how the intruder gained access, which systems were compromised, and so on.
Block or Monitor?
After you’ve gathered some information, one decision you need to make is whether to block the intruder’s entry point. There is some value in watching what your adversary is doing on your network, although this idea may be completely counterintuitive to many security managers.
If you catch your adversaries in the act, do you want to watch them to see what they are going after, determine their methods, and understand what they have done and are doing on your network? Or do you want to cut off their avenue of approach immediately and start the triage process? That is a question you must answer for yourself. For the less experienced, you might want to stop them now and move to the incident response phase. For the more experienced, you could make the case to management (and probably the lawyers) to study your enemy for a finite amount of time, which could reveal things you might never discover by just going through the logs.
Some organizations already have in-place procedures to immediately take the infected systems off the network, rebuild them, and patch them so that the vulnerability used for the infection is closed. Each situation is unique and will largely be driven by your company’s policy.
There is one fact you must accept though: no matter what you choose to do immediately (block or monitor), just closing the hole they used to gain access to your network does not mean you are in the clear. If they got in, they likely installed another way to get back in via a backdoor of some sort. If you’re monitoring, you should determine all the ways they are gaining access to your network. Also, go back through your logs to see how they gained access initially. Do they match? If they do, you may be in the clear—the key words are “may be.”
Isolating the Problem
As mentioned previously, your logs and/or real-time traffic monitoring will be your guide to where you need to focus your efforts next. You’ve determined how they got into your network, and you’re on the lookout for other possible avenues of approach. Now isolating the problem is key to saving your network.
Which systems on your network have been compromised? In a perfect situation (as perfect as this can be), only a few systems were compromised. In this case, you can take these systems offline and rebuild them, ensuring that the vulnerability is patched before you place them back online. Now, although it is very easy to say that you will “rebuild machines,” this involves many implied tasks: reinstall each machine based on a pristine image you have for all machines on your network, install all applicable patches on each machine, recover data from the backup server (after you have scanned the data to ensure none of it is malicious), and change the passwords for users of that machine. That is just an example of what you may need to do in this case, but keep in mind, it all depends on the situation.
In the worst case, the intruder was able to move laterally through your network and gain access to many of your machines. It will take you a little longer to determine how to proceed in this scenario. You may need to rebuild many machines, implement company-wide password changes, and check the integrity of data within your data stores, among numerous other response actions.
One of your primary concerns after finding out how they got in and what they compromised is ensuring that you remove all possible traces of their presence. If you miss one of their entry points, they will return—again and again. Completely eradicating the enemy from your network is critical before you can perform a full recovery to normal operations.
Distinguishing Threat Objectives
Either during the process of removing the threat and restoring your network to a secure state or after the process is complete, it is necessary to determine why the intruders were in your network. This is a step that cannot be overlooked during your response to a compromise.
To fully understand future threats to your network, a historical perspective must be considered. You need to determine whether this was a target of opportunity or a targeted attack. As we’ve explained in earlier chapters, a target of opportunity is a compromise that results from a vulnerability being exploited because it was resident and publicly visible, meaning that intruders compromised your network because they could. A targeted attack is one that occurs because they are after something you have. They may deface your webpage or steal your intellectual property, but they came after you for a reason.
A thorough examination will need to occur for those questions to be answered. It may not be clear-cut either; analysis never is. You may need to rely on your experience and judgment to make an educated guess about the reason for the attack. When the infiltrators gained access to your network, what did they do? If they immediately went after sensitive information concerning your company’s latest product, you can reasonably assume that was their goal. In that case, the next question that must be answered is how the intruders found out where the information was stored. There may be an insider in your midst who supplied the location of the intellectual property, which was subsequently stolen.
Now suppose that the intruders did not access all of your intellectual property regarding one of your company’s high-profile projects. Some might be quick to decide that they took information just because they were able to access it while they were there. However, consider a scenario where they targeted the company and a specific subset of information because that was all they needed. What else about the project could they find on your website or through your favorite search engine? What else have they taken from your partner companies in the project? These questions need to be addressed as well to give you a better picture of why you were targeted in this attack.
As mentioned earlier, your logs will provide you with a lot of the information you need. Study the actions of your intruders. Understand how they operate. Critically look at what they did and how they did it. Some actions they took on the network are probably nothing more than a feint, meant to throw you off their trail. Other actions can provide you with a view into the reason they were there. What we have talked about in this section is only the tip of the iceberg. The concept can be applied in every situation, but every situation cannot be covered.
Responding to Actionable Intelligence
As used here, the term actionable intelligence refers to information you have obtained that can help determine what actions you should take against threats. This information will assist you in either protecting your network and information from future attacks or in determining the source and objective of past attacks.
Consider a situation where your sources have provided you with information that another company wants to acquire information related to your latest research and development efforts. You know that you are only a few months away from launching a game-changing product, and if the competitor acquired this information, it would mean ruin for your company. If you wonder if this could ever happen to you, just search for “commercial espionage” in your favorite search engine. Now anyone who has valuable information can make you a target, and you need to know what you are going to do about it. You really have several viable options.
In this day and age of all things cyber, you can hazard a guess that someone may attempt to breach network security to obtain your intellectual property. In this case, you will want to ensure that the security is tight. It’s better to leave nothing to chance. Also, as we have stressed many times in this book, no security is impenetrable. Gunter Ollmann, who has spent more than 25 years in penetration testing, once said, “We have always gotten in.”
Consider turning the tables on your foe. If you are aware, you are prepared. Once you build it, they will come. The target’s objective is known, at least to an extent based on its end game. The subtle differences will be the injection vectors/entry points, tools usage, exfiltration techniques, and much more. You have taken measures to increase the protection of your prized and valuable information. What would happen if you placed some information on your network that looked like the real thing, but wasn’t? In this situation, you are the Greeks and they are the Trojans in a modern-day version of the Trojan horse.
While we have focused a lot of our effort on actions in the digital realm, do not discount the likelihood that your competitor will attack the weakest link in your chain: the employees. Attacks against the human element have occurred for centuries, because they have been, and likely will always be, successful. Your competitor could try to recruit one of your employees to provide information, preying on that employee’s need for money, dissatisfaction with his current position, or just because he can. Or you could face a more serious threat: the social engineer. Social engineering is a low-tech method for others to get unauthorized access to information, many times without you knowing that they gained the access. These two situations require management and security personnel to create and sustain a good user awareness program. An educated employee could be your last line of defense against commercial espionage.
All in all, actionable intelligence will help you plot your future course of action. Actionable intelligence is simply information that provides enough context of a series of events to aid the victim organization in developing its overall plan to engage and/or counter the threat using some level of actions. Hence, the word “actionable.”
Cyber Threat Acquisition
Cyber threat acquisition (CTA) is the practice of honing your sensor network in on a precise threat that is actively operating with impunity across your enterprise. The preceding chapters have helped you build a dossier on the threat, and now you need to take some level of action against it.
CTA involves homing in on the precise observables of a specific actor and closing in on the threat from all sides, while gathering enough intelligence to improve future detection across your enterprise. Acting at the right time goes back to operating with timeliness against a focus. Continue reading to learn more about distinguishing actions that can help eliminate the threat and strengthen your enterprise security posture.
Distinguishing Between Threats
When you have numerous incidents where multiple systems are infected by unknown actors, how do you distinguish between the different groups? The answer always lies in the network data traversing your enterprise.
One method is performing link analysis on the various CnC servers each infection is communicating with. Another method is to actively engage actors in criminal forums to identify who is running which campaigns and/or using which tools. Some analysts attempt to begin at the host level and work their way up, which has been the standard operating procedure for incident responders for well over a decade. However, as we are all aware, crimeware in and of itself can be armored and packaged to appear as other families of malware and not relinquish any information as to the true tool. Cryptors, packers, and binders can alter and armor the actual bare crimeware agent that is used to pilfer victim systems and send the stolen data out of the network.
When distinguishing between threats, you can start at the host and look for observables based on a malicious sample’s actions. In some samples, you can identify the use of various sandbox technologies. There is also the network perspective, which you can leverage as another component for distinguishing between threats.
Here, we’ll look at some crimeware samples and then examine some of the network data from each of them to identify specific patterns or unique regular expressions we can build to distinguish between each threat.
Example: MD5 of Binary 18eb6c84d31b5d57b3919b3867daa770
We’ll start with a simple example:
[figure omitted]
As you can see, this sample performs a minimal set of actions on a host and then executes the following process:
[figure omitted]
This type of threat is a generic “run-of-the-mill” sample that performs simple actions against a victim’s system.
As you can see in the following example, this particular crimeware sample simply performed some specific checks via UDP to a remote IP address on port 1900:
[figure omitted]
The question presents itself: What are the unique characteristics associated with a variant of a campaign? There are a few observable traits that can be gathered between the host and the network layers. First, we will look at the host-based patterns. Initially, you can see that this sample interacts with a handful of directories, primarily locals~1\temp and C:\.
You can visit www.Virustotal.com for more information about the actual executable that was initially loaded onto the victim’s system. The following is some high-level information on the binary itself:
[figure omitted]
As you can see, the sample was compiled on 8/29/2011 and was first processed by VirusTotal on 11/2/2011, which means it had been in circulation for a while before it was noticed. This implies that the operator took some time to set up an infrastructure and then armored the binary some time later.
The overall detections point to a Zeus or SpyEye bot-based infection. This type of campaign can be based on numerous opportunistic and targeted groups. This leads us to the network usage of this executable, which should provide a little more information on the avenue of ingress and egress of the malware. Two different UDP streams are associated with this sample. The first is the initial check-in to a hacked web server that is hosting the botnet collector and is not a part of the victim’s infrastructure, but a completely different victim. The first UDP attempt is trying to connect to the domain fugue.com. What can we learn about that domain? Take a look at the first UDP stream:
[figure omitted]
This information illustrates that the domain itself has been registered for quite some time and is currently set to expire on 11/28/2011. We can see that the domain has been registered for a while via a German registrar, and is registered to a citizen in the United States and an IP address in the United States hosted by the Internet Systems Consortium. This requires us to dig a little deeper as to why a bot agent would want to check connectivity to a well-established server.
Now look at the next UDP stream generated by this executable, which is similar to a connectivity check for the crimeware agent:
[figure omitted]
Here the sample sends to 239.255.255.250 on UDP port 1900. That is not a particular server: it is the SSDP multicast address used for UPnP device discovery, so the datagram goes to the local network segment and any reply comes from a neighbor, which is all the agent needs for a connectivity check. This information was gleaned from less than five minutes of running the executable within a sandbox. Imagine what a longer run would reveal.
With this information, we can see a level of sophistication in using well-known servers and protocols to check connectivity, although this is more widely used today than most professionals think. The observable patterns here are the lookup of fugue.com and the datagram to 239.255.255.250 on UDP port 1900. Keep in mind that ordinary Windows hosts also emit SSDP discovery traffic, so the multicast datagram by itself will match clean machines; the fugue.com lookup is the discriminating observable, and the two together should be enough to quickly identify other systems that may be infected by this operator.
If the systems making these connections are Linux-based, you may not need to worry, as this infection is a Win32 executable. However, a Linux-based system could still be serving or relaying the Win32 malware to Windows-based systems, so check it rather than dismiss it.
Example: MD5 of 70cb444bf78da9c8ecf029639e0fb199
The following sample is a little more sophisticated than the previous one, and has been designed to perform additional actions that enable more stealthy and persistent functions:
[figure omitted]
After performing actions on a host, this sample executes the following process:
[figure omitted]
As you can see, this crimeware campaign is much more active than the previous example. It has numerous callback functions to a remote server upon initial infection, and updates itself upon exploitation and installation. This level of detail can help an analyst better understand what a malicious sample is doing.
There are numerous paths in which the executable will read and write to files. However, there is an observable pattern that can be used for host-based detection. The primary paths you would want to look at are locals~1\temp, program files\jishu_204433, documents and settings\all users\desktop, and C:\program files\soft204433.
[figure omitted]
Again, there is a unique pattern to this executable’s host-based intentions. From the numerous DLLs it loads, you can gather some information that will help you determine what the capabilities of the crimeware may be.
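The directory patterns above can be turned into a host-based rule. The following is an added example, not code from the book, that matches file-creation events against the paths observed for each sample. The event format, hostnames and event lines are constructed for this example; the 8.3 short-name expansion (locals~1, docume~1, progra~1) is an assumption about the XP-era profile layout the sandbox listings show. The point it makes: the second sample has distinctive paths, but locals~1\temp on its own also matches the first sample and ordinary installers, so temp-only hits are only a weak indicator.

```python
import re
from collections import defaultdict

# Windows 8.3 short names seen in the sandbox listings, expanded so a rule
# written for the long form also matches the short form (assumption).
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "locals~1": "local settings",
    "progra~1": "program files",
}

# Directory fragments from the two sandbox runs. "local settings\temp" is shared
# by both samples and by ordinary software, so it is only a weak indicator.
HOST_SIGNATURES = {
    "70cb444bf78da9c8ecf029639e0fb199": {
        "strong": [r"program files\jishu_204433", r"program files\soft204433"],
        "weak": [r"documents and settings\all users\desktop", r"local settings\temp"],
    },
    "18eb6c84d31b5d57b3919b3867daa770": {
        "strong": [],                      # nothing path-specific: quiet on disk
        "weak": [r"local settings\temp"],
    },
}

# Assumed event format (constructed): one file event per line.
EVENT = re.compile(r"^host=(?P<host>\S+) pid=(?P<pid>\d+) op=(?P<op>\w+) path=(?P<path>.+)$")

SAMPLE_EVENTS = r"""
host=ws09 pid=1840 op=create path=C:\Program Files\jishu_204433\update.exe
host=ws09 pid=1840 op=write path=C:\Documents and Settings\All Users\Desktop\readme.lnk
host=ws09 pid=1840 op=write path=c:\docume~1\bob\locals~1\temp\a.tmp
host=ws17 pid=2212 op=create path=C:\DOCUME~1\alice\LOCALS~1\Temp\~tmp1.exe
host=ws17 pid=2212 op=read path=C:\WINDOWS\system32\wininet.dll
host=ws31 pid=944 op=write path=C:\Documents and Settings\carol\Local Settings\Temp\setup.log
"""

def normalize(path):
    """Lower-case, drop the drive letter, and expand 8.3 path components."""
    p = path.strip().lower().replace("/", "\\")
    p = re.sub(r"^[a-z]:", "", p)
    return "\\".join(SHORT_NAMES.get(seg, seg) for seg in p.split("\\"))

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if m:                      # malformed lines are skipped, not fatal
            e = m.groupdict()
            e["path"] = normalize(e["path"])
            events.append(e)
    return events

def score(events):
    """{host: {md5: {"strong": set(), "weak": set()}}} for every matched fragment."""
    hits = defaultdict(lambda: defaultdict(lambda: {"strong": set(), "weak": set()}))
    for e in events:
        if e["op"] not in ("create", "write"):   # DLL reads are noise for this rule
            continue
        for md5, sig in HOST_SIGNATURES.items():
            for kind in ("strong", "weak"):
                for frag in sig[kind]:
                    if frag in e["path"]:
                        hits[e["host"]][md5][kind].add(frag)
    return hits

def attribute(events):
    """Per host, the samples whose strong path indicators were seen (sorted MD5s)."""
    hits = score(events)
    return {h: sorted(m for m, s in hits[h].items() if s["strong"])
            for h in sorted({e["host"] for e in events})}

def needs_network_corroboration(events):
    """Hosts with only weak path hits: the paths cannot tell them apart from
    clean machines, so the network observables have to decide."""
    hits = score(events)
    return sorted(h for h, per in hits.items()
                  if any(s["weak"] for s in per.values())
                  and not any(s["strong"] for s in per.values()))

if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    for host, samples in attribute(ev).items():
        print(host, samples or "no strong path match")
    print("weak only:", needs_network_corroboration(ev))
```

On the constructed events, ws09 is attributed to the second sample by its jishu_204433 directory, while ws17 (the first sample) and ws31 (a clean host writing an installer log) both show only temp-directory writes and are indistinguishable by path alone.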
Now that we have taken a moment to review the host-based activity, let’s look at some of the network activities of this executable.
[figure omitted]
This executable not only attempts to check with time.windows.com, but also tries to connect to two other domains: www.teaini.com and oo.shmtb.info, which are both associated with an IRC bot-based virus or threat that has been recorded in public blacklists dating back to May 2011.
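The network observables for both samples (the fugue.com lookup and SSDP datagram for the first, the teaini.com and shmtb.info CnC names for the second) can be expressed as a small classifier over connection logs. This is an added example and not code from the book; the log format, hostnames, timestamps and destination addresses are constructed (TEST-NET ranges), and the domain patterns come from the sandbox runs described above. It deliberately treats 239.255.255.250:1900 as a weak indicator, since every Windows host emits SSDP discovery, and ignores the time.windows.com NTP check, which is normal traffic.

```python
import re
from collections import defaultdict

# Network observables from the two sandbox runs above. The 239.255.255.250:1900
# datagram is SSDP (UPnP discovery) multicast that ordinary Windows hosts also
# send, so it is scored as weak and never attributes a host on its own.
SIGNATURES = {
    "18eb6c84d31b5d57b3919b3867daa770": {
        "strong": [re.compile(r"(^|\.)fugue\.com$", re.I)],
        "weak": [("239.255.255.250", 1900, "udp")],
    },
    "70cb444bf78da9c8ecf029639e0fb199": {
        "strong": [re.compile(r"(^|\.)teaini\.com$", re.I),
                   re.compile(r"(^|\.)shmtb\.info$", re.I)],
        "weak": [],
    },
}

# Assumed log format (constructed): one connection per line, key=value fields;
# "dns" is the name the host looked up or connected to, when known.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proto=(?P<proto>\w+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: dns=(?P<dns>\S+))?$"
)

SAMPLE_LOG = """\
2011-11-02T10:01:03Z host=ws17 proto=udp dst=239.255.255.250 dport=1900
2011-11-02T10:01:09Z host=ws17 proto=udp dst=198.51.100.20 dport=53 dns=fugue.com
2011-11-02T10:03:41Z host=ws22 proto=udp dst=239.255.255.250 dport=1900
2011-11-02T10:05:12Z host=ws09 proto=udp dst=198.51.100.20 dport=53 dns=time.windows.com
2011-11-02T10:05:20Z host=ws09 proto=tcp dst=203.0.113.7 dport=6667 dns=oo.shmtb.info
2011-11-02T10:06:02Z host=ws09 proto=tcp dst=203.0.113.8 dport=80 dns=www.teaini.com
"""

def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than crash
        r = m.groupdict()
        r["dport"] = int(r["dport"])
        r["proto"] = r["proto"].lower()
        records.append(r)
    return records

def score(records):
    """{host: {md5: {"strong": set(), "weak": set()}}} for every matched indicator."""
    hits = defaultdict(lambda: defaultdict(lambda: {"strong": set(), "weak": set()}))
    for r in records:
        name = r.get("dns") or ""
        for md5, sig in SIGNATURES.items():
            for rx in sig["strong"]:
                if name and rx.search(name):
                    hits[r["host"]][md5]["strong"].add(name)
            for ip, port, proto in sig["weak"]:
                if (r["dst"], r["dport"], r["proto"]) == (ip, port, proto):
                    hits[r["host"]][md5]["weak"].add(f"{proto}/{ip}:{port}")
    return hits

def attribute(records):
    """Per host, the samples whose strong indicators were seen (sorted MD5s).
    A host with only weak hits maps to an empty list: SSDP alone is not enough."""
    hits = score(records)
    return {h: sorted(m for m, s in hits[h].items() if s["strong"])
            for h in sorted({r["host"] for r in records})}

def weak_only_hosts(records):
    """Hosts that tripped a weak indicator and nothing else: watch them longer
    in the sandbox or on the wire before treating them as infected."""
    hits = score(records)
    return sorted(h for h, per in hits.items()
                  if any(s["weak"] for s in per.values())
                  and not any(s["strong"] for s in per.values()))

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, samples in attribute(recs).items():
        print(host, samples or "no strong match")
    print("weak only:", weak_only_hosts(recs))
```

On the constructed log, ws17 is attributed to the first sample (SSDP plus the fugue.com lookup), ws09 to the second (IRC on 6667 to oo.shmtb.info and HTTP to www.teaini.com), and ws22, which only sent the SSDP datagram, is left unattributed and flagged for longer observation.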
Processing Collected Intelligence
Now that we have analyzed both the host- and network-based activity for each example in the previous section, we need to identify which one has the potential to be the biggest threat, and whether each is targeted or opportunistic. What intelligence do we have on each malicious sample?
Example: MD5 of 18eb6c84d31b5d57b3919b3867daa770
For this example, we’ve gained the following intelligence:
- Threat type: Multipurpose bot/Trojan (well-known, high-profile threat, SpyEye or Zeus)
- Host behavior: Minimal and stealthy
- Network behavior: Minimal and time-based (requires more than five minutes in a sandbox)
This threat involves one of the three highest-ranked crimeware kits available today and should be addressed as soon as possible. These tools are used primarily by organized criminals who target both small and large enterprises. They target specific financial and other related system files. Additionally, this threat allows the victim to be used as a proxy.
Example: MD5 of 70cb444bf78da9c8ecf029639e0fb199
For this example, we’ve gained the following intelligence:
- Threat type: IRC-based bot (easily detected via IRC usage)
- Host behavior: Loud and noisy
- Network behavior: Enough data collected in the first round of analysis helped identify the CnC servers, and they are well-known abused/malicious servers
This threat surrounds an older family of crimeware that uses easily detectable techniques both at the host and over the network. This threat is lesser on the scale of threats than the previous example, and should be handed off to your incident responder staff, rather than the cyber counterintelligence group.
Determining Available Engagement Tactics
We have determined the differences between each threat and now need to identify which options are available to prevent any further infections and/or continued hemorrhaging of your network.
Typically, you have the following standard options with the commonly found enterprise security tools and devices located within and across an enterprise:
- Firewall rules
- Host IDS/IPS and network IDS/IPS rules
- Custom host-based rules and policies to identify whether specific folders are created on a host
The following are some advanced tactics you might employ:
- Load the executable within a live honeynet/honeypot (or a sandbox).
- Interact with the infected host in a secure portion of the network and analyze how access to the system is being used.
- Implement content staging by loading various types of documents onto the infected systems, and see which files are wrapped up and shipped out (what is of interest to the active threat).
The standard tactics can be implemented by any security professional. However, any of the advanced tactics should be run through your organization’s key stakeholders or even legal representatives to ensure your team has leadership coverage.
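Content staging, as described in the advanced tactics above and in the decoy idea under "Responding to Actionable Intelligence," needs a way to tell afterwards which staged file was taken and from which host. The following is an added example, not code from the book: each decoy gets a unique token carrying an HMAC tag, a manifest records which host and file the token was staged on, and anything later seen leaving the network (a captured stream, a DLP hit, a file that resurfaces) is scanned for tokens and verified against the manifest. The token format, hostnames, decoy names and the "observed" exfiltration text are all constructed for the example; it assumes the decoys are plain text and the observed data is available to you as text.

```python
import hashlib
import hmac
import os
import re
import secrets
import tempfile

# Token shape embedded in every decoy: random nonce plus a keyed tag, so a
# token seen later can be verified as one we staged rather than a forgery.
TOKEN_RE = re.compile(r"PRJ-([0-9a-f]{8})-([0-9a-f]{16})")

def _tag(key, nonce, host, label):
    msg = f"{nonce}|{host}|{label}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def make_token(key, host, label):
    nonce = secrets.token_hex(4)
    return nonce, f"PRJ-{nonce}-{_tag(key, nonce, host, label)}"

def stage(key, host, directory, decoys):
    """Write each decoy (filename -> body) into `directory` with its own token
    and return the manifest entries {nonce: {host, label, path}}."""
    manifest = {}
    for label, body in decoys.items():
        nonce, token = make_token(key, host, label)
        path = os.path.join(directory, label)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body.rstrip("\n") + f"\nInternal reference: {token}\n")
        manifest[nonce] = {"host": host, "label": label, "path": path}
    return manifest

def identify(key, manifest, observed_text):
    """Scan text captured leaving the network for staged tokens and return the
    (host, label) of every token that verifies against the manifest."""
    hits = []
    for nonce, tag in TOKEN_RE.findall(observed_text):
        entry = manifest.get(nonce)
        if entry is None:
            continue                      # unknown nonce: not ours, or a guess
        expected = _tag(key, nonce, entry["host"], entry["label"])
        if hmac.compare_digest(expected, tag):
            hits.append((entry["host"], entry["label"]))
    return hits

def demo():
    """Stage the same two decoys on two hosts, then 'observe' one file's
    contents in outbound traffic (constructed) next to two forged tokens."""
    key = secrets.token_bytes(32)
    decoys = {
        "roadmap_q3.txt": "Q3 roadmap - DRAFT - do not distribute",
        "pricing_model.csv": "sku,cost,margin\nX-100,40,0.55",
    }
    with tempfile.TemporaryDirectory() as tmp:
        manifest = {}
        for host in ("ws09", "ws17"):
            hostdir = os.path.join(tmp, host)
            os.mkdir(hostdir)
            manifest.update(stage(key, host, hostdir, decoys))
        taken = next(e for e in manifest.values()
                     if e["host"] == "ws09" and e["label"] == "roadmap_q3.txt")
        with open(taken["path"], encoding="utf-8") as fh:
            exfil = fh.read()
        # A nonce we never issued, and a real nonce with a wrong tag: both rejected.
        real_nonce = next(iter(manifest))
        exfil += "\nPRJ-deadbeef-0123456789abcdef\nPRJ-" + real_nonce + "-" + "0" * 16 + "\n"
        return identify(key, manifest, exfil)

if __name__ == "__main__":
    print(demo())
```

The keyed tag matters because the token itself will be in the adversary's hands once the file is taken; without it, anyone who learns the format could plant tokens to make you chase the wrong host, and a casual match on a random-looking string would not tell you the file was really yours.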
Engaging the Threat
Now that you have determined the allowed actions that can be taken, ranging from the legal to the illegal (not recommended), you are prepared to begin engaging your threat and start removing the threat from the network. However, one of the most important pieces of any action of engagement of an active threat is the ability to act all at once or not at all. Similar to a botnet or live criminal infrastructure, if just one position is left for access, the threat will try to reenter your enterprise, especially if this is a highly resourced criminal or state-sponsored organization. By now, you should be asking yourself, “What can I do then?” Well, here we go…
Within Your Enterprise
From within your enterprise network, you have almost every right to actively engage a real-time threat and remove it from your network. The battle is initially fought at the network layers. As stated in previous chapters, focusing on your hosts during a real-time intrusion is highly unreliable as a source of actionable intelligence observables.
Once you have identified how the threat is getting in and out of your network, you need to sever those connections in order to begin remediation of your hosts, as they will continue to beacon out and attempt to communicate with the remote threat and try to take survivability measures on behalf of the focus.
From within your enterprise, you can perform almost any level of actions, including content staging, content filling, deception, and enticement. Honeypots can also be used as highly interactive IDSs that enable profiling at the network and session layer. Sandbox technologies can also have a high impact on enabling you to determine a threat’s method of exit, exfiltration, and return.
Just remember that once active targeted threats learn of your knowledge of their activities, they can become highly unpredictable, and their actions can range from not returning to taking a virtual crowbar to every system they have touched. Acting within your own enterprise is the highly recommended action versus external methods, which will be discussed next.
External to Your Enterprise
Threats operating across the Internet require numerous data points and variables. Network locations; IP addresses; static, dynamic DNS, or fast-flux domain names; server-side applications, such as SQL or FTP accounts; and a lot more techniques can be used. One of your tasks is to do as much intelligence collection as possible and learn as much as you can about all of these observable data points. Then you can take some actions against an active threat external to your enterprise.
If you know an IP address, you should report the abuse of the IP address to the hosting provider. You should also block the IP address across your network. But be aware that just blocking an IP address does not eliminate the threat. Also, if a source IP address is actually a gateway IP address of an ISP, for example, blocking it may end up blocking many other legitimate users. Determine whether the source IP address belongs to the individual/residence/attacker’s unique IP address or is the gateway of a network segment.
If you learned a domain name, report the abuse of the domain name to the registrar. Also, block the domain name across your network.
For server-side applications, scan the IP address/domain and attempt to identify which services are running on the host (port scanning is generally not illegal, but that depends on your jurisdiction and on any agreements that bind you, so confirm before you scan). If you reside in a country that allows you to analyze and exploit malicious services on that server, you can gather a great deal of information about the criminal operator via this method.
Working with Law Enforcement
A large topic of debate for almost every industry is whether or not to report the incident. Well, believe it or not, every world government’s law enforcement (LE) agencies have a top-ten list of threats they are interested in and actively investigating.
If you believe the specific threat is of a targeted nature and you may be one of many organizations hit by a specific threat, you can privately report the incident to LE. The members of the LE agency will work with you if you are willing to share your data with them. You’ll also need to let them know about every action you have performed against the remote CnC server to identify the threat level of the specific criminal campaign. Most LE agencies are highly interested in organized and state-sponsored threats, and will work diligently with your organization to try to attribute and apprehend the actors behind the criminal campaign.
You’ll need to determine whether you want to bring in LE early in the decision process, as this will inhibit some of the things you are allowed to do as a private researcher. If you commit a crime while performing adversary analysis or attribution, and then bring in LE after the fact, this could open you or your organization up to a legal can of worms. Several IT security professionals have taken the law into their own hands, only to be fired or worse for trying to do the right thing.
Working with LE can be a powerful asset, especially when dealing with highly motivated and well-funded threats. However, there are drawbacks that can land you in the hot seat, so please be careful how you approach each situation, and identify up front whether LE is an avenue you want to take.
To Hack or Not to Hack (Back)
There are several situations where hacking back can yield highly valuable results, and then there are times when it will simply land you in jail. For example, suppose you hack into a CnC server currently being investigated by LE, and they are monitoring the wire when you do this. You are trying to do good for your organization’s security posture, but in the end, it comes around to bite you in the ass. We know people who have done this and now are without a job or security clearance.
Now that you have been warned, here is a short list of things that can be gained from hacking into a criminal’s CnC back-end server (typically performed via attacking the server):
- Look for vulnerabilities in the CnC back end, such as cross-site scripting (XSS), SQL injection, and session management.
- You can get help with attribution of the bot master and bot operators.
- Generally, the first one to five connections are the operator setting up the infrastructure. If you can circumvent the security of the CnC, you can identify some of the operator’s information:
  - Registrar site login/password
  - E-mail login/password
  - Virtest (resilience provider services) login/password
  - Domain checkers (resilience provider services) login/password
  - Bank account login/password
  - Incoming IP address
- Don’t forget about all of the victims being stored in that CnC database.
This level of detail was performed in 2010 on more than 100 SpyEye CnC servers using a legal method that circumvented a flaw in session management between the collector and the gate of the SpyEye CnC server application. This allowed the team to infiltrate and collect the true identities of more than 100 active cyber criminals around the world operating and maintaining SpyEye botnets (little will they know until they read this book).
The most important part of the hacking back decision is whether you have legal authority to do so. If not, there is always the old hacker’s philosophy of don’t tell a soul and don’t get caught, and deny everything, and then direct anyone with questions to your lawyer.
Remember that we do not condone participating in illegal activities. However, there are circumstances where your organization will have the authority to perform some level of attack and exploitation against a criminal’s infrastructure, and we would rather have you on the right side of the law, which could advance your career. Otherwise, your career could take a drastic turn for the worse.
To What End?
Now that we have discussed the methods you can take to engage an active threat either passively or aggressively, we need to consider your “end game,” or your overall goals, which need to be planned up front. You must have an end game in mind when you approach a problem, or you won’t have a clear path to success or failure.
Do you want to simply gather intelligence on a threat and use that internally, or do you desire to engage LE and go the prosecutable route? That is a question only the legal or executive management can decide at the beginning of the effort per event and/or in accordance with a blanket policy that outlines how specific incidents should be handled by the various security teams within your organization.
By engaging the threat’s criminal infrastructure, will you increase the chances of retribution, or will you take down the threat’s entire network? These are the things you need to think about up front before moving forward.
Finally, consider the impact on public perception if it is discovered that your organization is working with LE to identify an organized or persistent threat. Refer back to Chapter 5 for a refresher on the legal perspective, what types of data are needed by LE, and how you can be best prepared.
Understanding Lines (Not to Cross)
Numerous national and international cyber laws apply to various countries. You need to fully understand the implications of your actions no matter which country you live in and which country is hosting the IP address. Some countries will look the other way if you are investigating a foreign criminal network. Other countries, like the United States, will prosecute you for going rogue and doing it alone.
There are numerous lines you should not cross. Again, we refer you to Chapter 5, which discusses online resources for information about cyber laws at large.
Remember that the criminals know the Achilles’ heel of security professionals. We have laws and ethics that draw a clear line you are not supposed to cross without prior authorization. Whatever country you live in, you should do some research on those laws and your boundaries in performing aggressive/active engagement of a specific threat or actor before you begin any type of in-depth investigation.
Conclusion
You have read a lot about the tools that can be used to circumvent a threat’s tactics and what you can do to better identify and weigh a threat’s severity within your network. There are numerous techniques and tactics that enable you, the counterintelligence analyst or operator, to engage an active threat, as discussed in Chapters 7, 8, and 9. Although international laws inhibit some tactics, you always have the option of working with LE, which can open certain doors and avenues you may not have thought possible. Please investigate what you can do and what you should not do from a legal and ethical position for your own career.
In the next chapter, we will wrap up all of these combined tools, tactics, and techniques and their ability to validate your organization’s security posture moving forward following various targeted and opportunistic threats.
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset